HIGH crlf injectiongrape

Crlf Injection in Grape

Scan for crlf injection in grape

How Crlf Injection Manifests in Grape

CRLF injection in Grape APIs occurs when untrusted input containing carriage return (\r) or line feed (\n) characters is used in HTTP response headers without proper sanitization. This vulnerability allows attackers to inject arbitrary HTTP headers or split responses, potentially leading to HTTP response splitting, session fixation, cross-site scripting, or cache poisoning.

In Grape applications, CRLF injection commonly appears in these contexts:

  • Response headers: Custom headers generated from user input, such as X-Custom-Header: <%= params[:value] %>
  • Location redirects: Redirect URLs constructed from query parameters without validation
  • Set-Cookie headers: Cookie values containing CRLF sequences
  • Custom status messages: HTTP status descriptions built from user data

Here's a vulnerable Grape endpoint that demonstrates the issue:

class VulnerableAPI < Grape::API
  get :redirect do
    # DANGEROUS: User input directly in Location header
    redirect_url = params[:url] || '/default'
    redirect redirect_url
  end

  get :custom_header do
    # DANGEROUS: Header injection possible
    header_value = params[:value] || 'default'
    header 'X-Custom-Header', header_value
    { message: 'Header set' }
  end

  get :set_cookie do
    # DANGEROUS: Cookie injection possible
    cookie_value = params[:value] || 'default'
    cookie 'session_id', cookie_value
  end
end

An attacker could exploit the redirect endpoint with: /redirect?url=http://evil.com%0D%0ASet-Cookie:%20session=malicious, which would inject a Set-Cookie header into the response.

Grape-Specific Detection

Detecting CRLF injection in Grape APIs requires both static code analysis and runtime scanning. Here are Grape-specific detection strategies:

Static Analysis: Review code for patterns where user input flows into response headers. Look for:

  • Direct parameter usage in redirect, header, or cookie methods
  • String interpolation in header values without sanitization
  • Dynamic header construction based on user input

Runtime Scanning with middleBrick: middleBrick's black-box scanning approach is particularly effective for CRLF injection because it:

  • Tests endpoints with CRLF payloads (%0D%0A for URL encoding)
  • Analyzes response headers for unexpected header injection
  • Checks for HTTP response splitting by sending multiple response lines
  • Verifies proper header encoding and validation

middleBrick's CRLF Detection includes:

CRLF Injection Scan Results:
- Test: Header Injection (X-Test-Header)
  Payload: %0D%0AX-Test-Header:%20injected
  Result: No injection detected ✓

- Test: Response Splitting
  Payload: %0D%0AContent-Type:%20text/html%0D%0A%0D%0A<script>alert(1)</script>
  Result: No response splitting detected ✓

- Test: Cookie Injection
  Payload: %0D%0ASet-Cookie:%20malicious=value
  Result: No cookie injection detected ✓

middleBrick also scans OpenAPI specifications for header definitions that might accept unsafe input and cross-references these with runtime findings.

Grape-Specific Remediation

Securing Grape APIs against CRLF injection requires input validation and proper header handling. Here are specific remediation strategies:

Input Sanitization: Use Grape's built-in parameter validation to whitelist acceptable characters:

class SecureAPI < Grape::API
  params do
    requires :url, type: String, allow_blank: false, 
              regexp: //(https?://)?[\-\w]+(\.\w+)+([/?#][^\s]*)?/i
    requires :value, type: String, allow_blank: false, 
              regexp: /^[^\r\n]*$/ # No CRLF characters
  end
  get :redirect do
    redirect params[:url]
  end

  params do
    requires :value, type: String, 
              regexp: /^[^\r\n]*$/ # Block CRLF
  end
  get :custom_header do
    header 'X-Custom-Header', params[:value]
    { message: 'Header set' }
  end
end

Safe Header Construction: Use Grape's safe header methods and validate input:

class SecureAPI < Grape::API
  helpers do
    def safe_redirect(url)
      # Validate URL format and sanitize
      sanitized_url = URI.parse(url).normalize.to_s
      # Check for CRLF injection
      raise 'Invalid URL' if sanitized_url.include?("\r") || sanitized_url.include?("\n")
      redirect sanitized_url
    end

    def safe_set_cookie(name, value)
      # Remove any CRLF characters
      sanitized_value = value.gsub(/[
]/, '')
      cookie name, sanitized_value
    end
  end

  get :redirect do
    safe_redirect(params[:url] || '/default')
  end

  get :set_cookie do
    safe_set_cookie('session_id', params[:value] || 'default')
  end
end

Header Whitelisting: Only allow specific, known-safe headers:

class SecureAPI < Grape::API
  ALLOWED_HEADERS = %w[Content-Type Cache-Control X-Custom-Header].freeze

  get :custom_header do
    header_name = params[:header_name]
    header_value = params[:header_value]

    if ALLOWED_HEADERS.include?(header_name)
      # Sanitize value
      sanitized_value = header_value.gsub(/[
]/, '')
      header header_name, sanitized_value
      { message: 'Header set' }
    else
      error!('Invalid header', 400)
    end
  end
end

Content Security Policy: Add CSP headers to mitigate XSS from successful CRLF attacks:

class SecureAPI < Grape::API
  before do
    header 'Content-Security-Policy', "default-src 'self'; script-src 'self'"
  end
end
Scan for crlf injection in grape Free API security scan

Frequently Asked Questions

How does CRLF injection differ from other injection attacks in Grape?
CRLF injection specifically targets HTTP protocol structure by injecting carriage return and line feed characters, allowing attackers to add new headers or split responses. Unlike SQL injection or XSS, it manipulates the HTTP protocol itself rather than application logic or rendering. In Grape, this often occurs through response headers, redirects, and cookies where user input isn't properly sanitized.
Can middleBrick detect CRLF injection in my Grape API?
Yes, middleBrick's black-box scanning tests your Grape API endpoints with CRLF payloads and analyzes responses for header injection, response splitting, and cookie manipulation. The scanner sends encoded CRLF sequences (%0D%0A) in parameters that flow to headers and checks if the API properly sanitizes or rejects these inputs. middleBrick provides specific findings with severity levels and remediation guidance for any CRLF vulnerabilities discovered.

Related Pages

Crlf Injection in Grape on NetlifyCrlf Injection in Grape behind Netlify: risks, sanitization, and Netlify-specific fixes with code examples.Crlf Injection in Grape on Fly IoUnderstand Crlf Injection in Grape on Fly Io and apply Fly Io-specific code fixes to prevent HTTP response splitting.Crlf Injection in Grape on DigitaloceanLearn how Crlf Injection manifests in Grape APIs on Digitalocean, and apply concrete code fixes to sanitize headers and Hipaa: Crlf Injection in GrapeUnderstand HIPAA risks from CRLF injection in Grape APIs and apply concrete code fixes to sanitize headers, status codesGdpr: Crlf Injection in GrapeExplore GDPR implications of CRLF injection in Grape APIs, with concrete remediation examples and secure coding practiceCrlf Injection in Grape with Bearer TokensUnderstand CRLF Injection in Grape APIs using Bearer Tokens, with remediation code examples and token-specific fixes.Iso 27001: Crlf Injection in GrapeExplore ISO 27001 controls for Crlf Injection in Grape APIs, with concrete remediation code examples and how middleBrickCrlf Injection in Grape with Mutual TlsCrlf Injection in Grape with Mutual TLS: how transport security does not prevent header injection and concrete sanitizatCis: Crlf Injection in GrapeExplore Cis and Crlf Injection in Grape APIs, understand how configuration and identity settings expose risks, and applyCrlf Injection in Grape with Hmac SignaturesExplore Crlf Injection in Grape APIs using Hmac Signatures, with remediation code examples and prevention guidance.Crlf Injection in Grape with Basic AuthLearn how Crlf Injection can occur in Grape APIs using Basic Auth and how to remediate with explicit parsing and sanitizCrlf Injection in Grape with CockroachdbUnderstand and remediate CRLF Injection in Grape APIs with Cockroachdb. Concrete code examples, header safety, and param